May 25, 2018. Mark the date. This is when the much-discussed General Data Protection Regulation (GDPR) comes into effect. A significant, wide-ranging piece of legislation that will, no doubt, have a major effect on the world of cybersecurity and data protection, the GDPR was passed by the European Union on April 27, 2016 to frame a new set of rules around data security and protection for individuals within the European Union.
The full text of the regulation can be read here, while the official GDPR website offers quick summaries of the key points of the legislation along with some Frequently Asked Questions. In a nutshell, the GDPR aims to update the rules surrounding data privacy for EU citizens in an increasingly digital world. The territorial scope has been widened, stiffer penalties have been defined and will be imposed, and conditions for data consent have been formulated.
Importantly, the regulation, while applying to EU citizens, is not restricted to just the European Union. In fact, the regulation “applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location”. Hence, if an organization deals with the personal data of any EU subject, say through a website, they will come under the purview of the regulation.
Now that it is clear that the scope of the regulation is wide-ranging, the other thing organizations must note is the steep fines they can incur for breaching it. Sanctions start with warnings for a first-time, non-intentional offence, but they can rise to fines of up to a humongous 20 million Euros or 4% of annual turnover, whichever is higher, for high-level infringements. This is a huge amount of money and is likely to cripple an organization that is fined. Hence, the best course for organizations is to start planning for compliance well before D-Day (25th May, 2018).
Creating a plan for compliance
The first level of preparation for GDPR is assessment and review. A company should ideally run a proper security audit to understand the extent to which it comes under the GDPR and come up with a plan to ensure compliance as soon as possible, and definitely before the date of implementation. Reviewing data privileges can be a good first step, as context-aware security standards and controls help organizations with GDPR compliance. With the rise of cloud-based applications, organizations must start implementing controls and permissions tailored to their specific requirements. After all, a "one size fits all" solution does not work when it comes to dealing with cybersecurity threats.
Protection of data, a key objective of GDPR, is more easily achieved by reducing the number of privileged users. When a large group of users has administrative access, an organization becomes very vulnerable to data breaches and other security threats. It is important to be dynamic when granting access and to provide such access on a case-by-case, user-specific basis.
Implementing security controls
Similarly, GDPR compliance is also achieved by getting the basics in place. Companies must ensure that their on-boarding and off-boarding processes are transparent, effective and fast. Access rights of employees who have left the organization must be revoked, and there must be a proper framework for doing so. Ransomware and malware attacks can be prevented by implementing hash-level, granular security controls through digital signatures. Other methods network administrators could consider are blocking access to specific files and websites, locking down external devices, preventing file saves on corporate devices, etc. It is also incumbent on an organization to maintain records and reports related to user access, as the ability to track, log and report is what makes the organization GDPR-compliant.
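The two preceding sections boil down to a recurring access review: keep the set of administrators small, make sure nobody who has left still holds access, and keep a record of each review. The following is an added example, not code from the original post or from Seqrite, that performs such a review over constructed sample directory and entitlement data (the user names, resource names and dates are all made up). It reports grants still held by terminated employees as off-boarding gaps, lists the active users holding admin roles, and packages the result as a JSON-serialisable record for an audit trail.

```python
# Added example (not from the original post): a minimal access-review script.
# (1) lists access still held by employees who have left, which off-boarding
#     should have revoked;
# (2) lists active users holding administrative rights, so that group can be
#     kept small;
# (3) emits one report record per run for the track/log/report requirement.
# All user, resource and date values below are constructed sample data.
from dataclasses import dataclass
from datetime import date
from typing import Optional
import json


@dataclass(frozen=True)
class Employee:
    user_id: str
    status: str                       # "active" or "terminated"
    left_on: Optional[date] = None    # set when status == "terminated"


@dataclass(frozen=True)
class AccessGrant:
    user_id: str
    resource: str
    role: str                         # "admin" or "read"
    granted_on: date


def sample_data():
    """Constructed sample HR directory and entitlement records."""
    employees = [
        Employee("alice", "active"),
        Employee("bob", "terminated", date(2018, 4, 1)),
        Employee("carol", "active"),
    ]
    grants = [
        AccessGrant("alice", "hr-database", "admin", date(2017, 6, 1)),
        AccessGrant("bob", "file-share", "admin", date(2017, 9, 15)),
        AccessGrant("bob", "hr-database", "read", date(2018, 1, 10)),
        AccessGrant("carol", "file-share", "read", date(2018, 2, 20)),
    ]
    return employees, grants


def find_stale_grants(employees, grants, as_of):
    """Grants still held by terminated employees; each one is an off-boarding gap.
    Returns (grant, days_since_departure) pairs."""
    left = {e.user_id: e.left_on for e in employees if e.status == "terminated"}
    return [(g, (as_of - left[g.user_id]).days) for g in grants if g.user_id in left]


def find_admin_holders(employees, grants):
    """Active users holding any admin role: the group to keep as small as possible."""
    active = {e.user_id for e in employees if e.status == "active"}
    return sorted({g.user_id for g in grants if g.role == "admin" and g.user_id in active})


def admin_ratio(employees, grants):
    """Share of active users with administrative access."""
    active = [e for e in employees if e.status == "active"]
    if not active:
        return 0.0
    return len(find_admin_holders(employees, grants)) / len(active)


def build_review_record(employees, grants, as_of):
    """One JSON-serialisable record per review run, suitable for an audit log."""
    stale = find_stale_grants(employees, grants, as_of)
    return {
        "review_date": as_of.isoformat(),
        "stale_grants": [
            {"user_id": g.user_id, "resource": g.resource, "role": g.role,
             "days_since_departure": days}
            for g, days in stale
        ],
        "admin_holders": find_admin_holders(employees, grants),
        "admin_ratio": round(admin_ratio(employees, grants), 2),
    }


def run_review(as_of_iso):
    """Run the review over the sample data as of a given ISO date string."""
    employees, grants = sample_data()
    return build_review_record(employees, grants, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    # Append one line per run to a review log to build the access-tracking record.
    print(json.dumps(run_review("2018-05-01")))
```

In practice the two input lists would come from the HR system and from the identity provider or application entitlement exports; the point of the script is that the comparison is mechanical and repeatable, so it can be scheduled and its output retained as evidence that access was reviewed and revoked.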
With the deadline arriving fast, organizations can consider roping in a security solutions provider like Seqrite to help them become GDPR compliant. Seqrite offers GDPR risk assessment and includes features like anti-ransomware and encryption, helping organizations comply with the guidelines.